[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Feb 22 15:10:33 UTC 2017
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------+-----------------------------
Reporter: tomdxw | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
Currently when using Content-Security-Policy with WordPress, you must use
the `unsafe-inline` directive because there are a lot of blocks of inline
JavaScript in WordPress core. This means that the browser cannot protect
the user from attacks using XSS vulnerabilities. This is an unsatisfying
situation because XSS vulnerabilities can be found in a great number of
WordPress plugins.
The patch I’m providing today makes it possible to write a plugin which
uses CSP without `unsafe-inline`. Such a plugin would make the vast
majority of XSS vulnerabilities found in WP plugins useless to an
attacker.
I’ve just added one new function: `inline_js()`. Now instead of writing
`<script>doSomething()</script>`, you would write `<?php
inline_js('doSomething()') ?>`.
I’ve changed enough instances of inline JavaScript to use `inline_js()`
that you can try it out:
- Apply this patch to WordPress
- Install and activate this plugin:
https://gist.github.com/tomdxw/e2aee45ad5cb2a309c6bd0fc213efb97
- Visit /wp-admin/
- If you have any plugins or themes activated which add inline JavaScript
to the admin interface you’ll see that those have been blocked (in the
console tab of developer tools).
I’ve only changed some instances of inline JavaScript in this patch -
enough to prove that it will work.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941>
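As an added example, not the ticket's patch (the ticket does not show how `inline_js()` is implemented), here is one nonce-based way the helper and a companion plugin could fit together; `csp_request_nonce()`, `csp_send_header()` and the nonce mechanism itself are assumptions, while `esc_attr()`, `add_action()`, `admin_init` and `send_headers` are existing WordPress APIs.

```php
<?php
// Added example, not code from the ticket's patch. Assumes a per-request
// nonce approach; the ticket does not describe the patch's internals.
// csp_request_nonce() and csp_send_header() are hypothetical names.

// One nonce per request: every legitimate inline script carries it and the
// CSP header allows exactly that value. A script injected through an XSS
// bug in a plugin has no way to learn the nonce, so the browser blocks it.
function csp_request_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits from the CSPRNG, base64-encoded as CSP expects.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Drop-in for `<script>doSomething()</script>`: emits the same code in a
// script element that carries the request nonce.
function inline_js(string $code): void {
    // Keep a literal "</script" inside the JS from closing the element early.
    $safe = str_ireplace('</script', '<\/script', $code);
    printf(
        '<script nonce="%s">%s</script>' . "\n",
        esc_attr(csp_request_nonce()),
        $safe
    );
}

// Companion plugin side: a policy with no 'unsafe-inline' in script-src.
// Hooked early on both the front end (send_headers) and in wp-admin
// (admin_init) so the header goes out before any output is written.
function csp_send_header(): void {
    if (headers_sent()) {
        return;
    }
    header(sprintf(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-%s'; object-src 'none'; base-uri 'self'",
        csp_request_nonce()
    ));
}
add_action('send_headers', 'csp_send_header');
add_action('admin_init', 'csp_send_header');
```

Any core, plugin or theme output that still uses a bare `<script>` tag shows up as a CSP violation in the browser console, which is exactly the signal the ticket's test steps describe.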